<!--
  This file is a part of the open-eBackup project.
  This Source Code Form is subject to the terms of the Mozilla Public License, v. 2.0.
  If a copy of the MPL was not distributed with this file, You can obtain one at
  http://mozilla.org/MPL/2.0/.
  
  Copyright (c) [2024] Huawei Technologies Co.,Ltd.
  
  THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND,
  EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT,
  MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE.
  -->


<!--
  This file is a part of the open-eBackup project.
  This Source Code Form is subject to the terms of the Mozilla Public License, v. 2.0.
  If a copy of the MPL was not distributed with this file, You can obtain one at
  http://mozilla.org/MPL/2.0/.
  
  Copyright (c) [2024] Huawei Technologies Co.,Ltd.
  
  THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND,
  EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT,
  MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE.
  -->

<!--
  This file is a part of the open-eBackup project.
  This Source Code Form is subject to the terms of the Mozilla Public License, v. 2.0.
  If a copy of the MPL was not distributed with this file, You can obtain one at
  http://mozilla.org/MPL/2.0/.
  
  Copyright (c) [2024] Huawei Technologies Co.,Ltd.
  
  THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND,
  EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT,
  MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE.
  -->

<!--
  This file is a part of the open-eBackup project.
  This Source Code Form is subject to the terms of the Mozilla Public License, v. 2.0.
  If a copy of the MPL was not distributed with this file, You can obtain one at
  http://mozilla.org/MPL/2.0/.
  
  Copyright (c) [2024] Huawei Technologies Co.,Ltd.
  
  THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND,
  EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT,
  MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE.
  -->

<!DOCTYPE html
  PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-us" xml:lang="en-us">
<head>
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
   
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="DC.Type" content="topic">
<meta name="DC.Title" content="Implementation Principles">
<meta name="DC.Format" content="XHTML">
<meta name="DC.Identifier" content="EN-US_TOPIC_0000001839264693">
<meta name="DC.Language" content="en-us">
<link rel="stylesheet" type="text/css" href="public_sys-resources/commonltr.css">
<title>Implementation Principles</title>
</head>
<body style="clear:both; padding-left:10px; padding-top:5px; padding-right:5px; padding-bottom:5px"><a name="EN-US_TOPIC_0000001839264693"></a><a name="EN-US_TOPIC_0000001839264693"></a>

<h1 class="topictitle1">Implementation Principles</h1>
<div><p>This section describes the principles of ransomware detection. The system detects ransomware for backup and replication copies in static or dynamic mode.</p>
<div class="section"><h4 class="sectiontitle">Detection Mode</h4><p><strong>Static detection</strong></p>
<p>Ransomware detection is performed based on a single copy and known features.</p>
<p>Ransomware usually behaves as follows:</p>
<ul><li>Add suffixes to encrypted files.</li><li>Leave ransomware message files (ransomware emails).</li></ul>
<p>You can use suffixes and ransomware emails to check whether the copy is infected by known ransomware.</p>
<p><strong>Dynamic detection</strong></p>
<p>Change behaviors of copy data are detected.</p>
<p>Quickly extract several basic change characteristics based on copy metadata features to determine whether the changes are suspicious. If they are suspicious, extract the all change characteristics of the copy and use the machine learning algorithm to determine whether the copy is infected by ransomware. <a href="#EN-US_TOPIC_0000001839264693__en-us_topic_0000001263776234_table371419306541">Table 1</a> shows basic change characteristics.</p>

<div class="tablenoborder"><a name="EN-US_TOPIC_0000001839264693__en-us_topic_0000001263776234_table371419306541"></a><a name="en-us_topic_0000001263776234_table371419306541"></a><table cellpadding="4" cellspacing="0" summary="" id="EN-US_TOPIC_0000001839264693__en-us_topic_0000001263776234_table371419306541" frame="border" border="1" rules="all"><caption><b>Table 1 </b>Basic change characteristics</caption><colgroup><col style="width:22.85%"><col style="width:29.880000000000003%"><col style="width:47.260000000000005%"></colgroup><thead align="left"><tr><th align="left" class="cellrowborder" valign="top" width="22.852285228522852%" id="mcps1.3.2.10.2.4.1.1"><p>Characteristic</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="29.882988298829883%" id="mcps1.3.2.10.2.4.1.2"><p>Detail</p>
</th>
<th align="left" class="cellrowborder" valign="top" width="47.26472647264727%" id="mcps1.3.2.10.2.4.1.3"><p>Description</p>
</th>
</tr>
</thead>
<tbody><tr><td class="cellrowborder" valign="top" width="22.852285228522852%" headers="mcps1.3.2.10.2.4.1.1 "><p>Modified file ratio</p>
</td>
<td class="cellrowborder" valign="top" width="29.882988298829883%" headers="mcps1.3.2.10.2.4.1.2 "><p>Number of modified files/Total number of original files</p>
</td>
<td class="cellrowborder" valign="top" width="47.26472647264727%" headers="mcps1.3.2.10.2.4.1.3 "><p>Whether many file modification events exist in the system.</p>
</td>
</tr>
<tr><td class="cellrowborder" valign="top" width="22.852285228522852%" headers="mcps1.3.2.10.2.4.1.1 "><p>Extension type change ratio</p>
</td>
<td class="cellrowborder" valign="top" width="29.882988298829883%" headers="mcps1.3.2.10.2.4.1.2 "><p>(Number of extensions of changed files before and after the change – Number of same extensions of changed files before and after the change)/Number of extension types of changed files before the change</p>
</td>
<td class="cellrowborder" valign="top" width="47.26472647264727%" headers="mcps1.3.2.10.2.4.1.3 "><p>File name extensions are seldom changed but ransomware usually adds specific or random extensions. If the number and types of many extensions are changed, ransomware encryption may exist.</p>
</td>
</tr>
<tr><td class="cellrowborder" valign="top" width="22.852285228522852%" headers="mcps1.3.2.10.2.4.1.1 "><p>Ratio of file header types to file name extension types after change</p>
</td>
<td class="cellrowborder" valign="top" width="29.882988298829883%" headers="mcps1.3.2.10.2.4.1.2 "><p>Number of file header types after change/Number of file name extensions after change</p>
</td>
<td class="cellrowborder" valign="top" width="47.26472647264727%" headers="mcps1.3.2.10.2.4.1.3 "><p>Files with the same extensions start with the same file headers so that there are few file header types. However, most ransomware also encrypts file headers and causes more different file headers. Therefore, this ratio can be used to determine whether ransomware infection exists.</p>
</td>
</tr>
<tr><td class="cellrowborder" valign="top" width="22.852285228522852%" headers="mcps1.3.2.10.2.4.1.1 "><p>File type change ratio</p>
</td>
<td class="cellrowborder" valign="top" width="29.882988298829883%" headers="mcps1.3.2.10.2.4.1.2 "><p>Number of changed file types/Total number of changed files</p>
</td>
<td class="cellrowborder" valign="top" width="47.26472647264727%" headers="mcps1.3.2.10.2.4.1.3 "><p>File types are changed after ransomware encryption. File types are seldom changed in file systems. If most of changed files have types changed, ransomware encryption may exist.</p>
</td>
</tr>
<tr><td class="cellrowborder" valign="top" width="22.852285228522852%" headers="mcps1.3.2.10.2.4.1.1 "><p>Entropy increase ratio in changed files</p>
</td>
<td class="cellrowborder" valign="top" width="29.882988298829883%" headers="mcps1.3.2.10.2.4.1.2 "><p>Number of changed files with entropy increase &gt; 1/Total number of changed files</p>
</td>
<td class="cellrowborder" valign="top" width="47.26472647264727%" headers="mcps1.3.2.10.2.4.1.3 "><p>Ransomware encryption usually increases file entropies. If there are many changed files whose entropy increase is more than 1, ransomware encryption may exist.</p>
</td>
</tr>
<tr><td class="cellrowborder" valign="top" width="22.852285228522852%" headers="mcps1.3.2.10.2.4.1.1 "><p>New file ratio</p>
</td>
<td class="cellrowborder" valign="top" width="29.882988298829883%" headers="mcps1.3.2.10.2.4.1.2 "><p>Number of new files/Total number of original files</p>
</td>
<td class="cellrowborder" valign="top" width="47.26472647264727%" headers="mcps1.3.2.10.2.4.1.3 "><p>Whether many file creation events exist in the system.</p>
</td>
</tr>
<tr><td class="cellrowborder" valign="top" width="22.852285228522852%" headers="mcps1.3.2.10.2.4.1.1 "><p>Ratio of file header types to file name extension types of new files</p>
</td>
<td class="cellrowborder" valign="top" width="29.882988298829883%" headers="mcps1.3.2.10.2.4.1.2 "><p>File header types of new files/File name extension types of new files</p>
</td>
<td class="cellrowborder" valign="top" width="47.26472647264727%" headers="mcps1.3.2.10.2.4.1.3 "><p>The principle is the same as that of "Ratio of file header types to file name extension types after change". This ratio can be used to determine whether ransomware infection exists.</p>
</td>
</tr>
<tr><td class="cellrowborder" valign="top" width="22.852285228522852%" headers="mcps1.3.2.10.2.4.1.1 "><p>Ratio of new high-entropy files</p>
</td>
<td class="cellrowborder" valign="top" width="29.882988298829883%" headers="mcps1.3.2.10.2.4.1.2 "><p>Number of new files with a high entropy (&gt; 6)/Number of new files</p>
</td>
<td class="cellrowborder" valign="top" width="47.26472647264727%" headers="mcps1.3.2.10.2.4.1.3 "><p>The entropy of files encrypted by ransomware is usually greater than 6 (entropy of normal files &lt; 6). This ratio can be used to determine whether ransomware infection exists.</p>
</td>
</tr>
</tbody>
</table>
</div>
</div>
<div class="section"><h4 class="sectiontitle">Constraints</h4><ul><li>Static detection has the following constraints:<ul><li>Unknown ransomware cannot be detected.</li><li>The list of infected files cannot be exported.</li></ul>
</li><li>Multi-copy dynamic detection has the following constraints:<ul><li>The first copy of a resource cannot be detected.</li><li>A specific file cannot be detected as infected or not.</li></ul>
</li></ul>
</div>
<div class="section"><h4 class="sectiontitle">Detection Process</h4><p>Dynamic detection is executed by default, and can be enabled or disabled.</p>
<ul><li>If dynamic detection is enabled, the system starts static detection first and stops the detection if the copy is detected as infected. If no infection is identified, dynamic detection is performed.</li><li>If dynamic detection is disabled, the system performs static detection on the copy.</li></ul>
<p><a href="#EN-US_TOPIC_0000001839264693__en-us_topic_0000001263776234_fig25709330223">Figure 1</a> shows the detection process.</p>
<div class="fignone" id="EN-US_TOPIC_0000001839264693__en-us_topic_0000001263776234_fig25709330223"><a name="EN-US_TOPIC_0000001839264693__en-us_topic_0000001263776234_fig25709330223"></a><a name="en-us_topic_0000001263776234_fig25709330223"></a><span class="figcap"><b>Figure 1 </b>Ransomware detection process</span><br><span><img class="eddx" src="en-us_image_0000001792545456.png"></span></div>
</div>
</div>

<div class="hrcopyright"><hr size="2"></div><div class="hwcopyright">Copyright &copy; Huawei Technologies Co., Ltd.</div></body>
</html>